


Question:

What functions are provided by the Syslog selection tab for the router?



Answer:

Syslog is a service that collects status messages from the network at a central location.
Syslog transfers the status messages as plain text, which makes it a far more convenient service than, for example, SNMP traps: SNMP offers only a small number of standardized traps, and it requires a MIB to be delivered before device-related traps can be translated.

Furthermore, Syslog classifies messages according to priority and facility, which enables particular messages to be sent or suppressed.

The size of the syslog buffer depends on the available memory (RAM):
  • more than 32 MB RAM => 2048 syslog messages
  • more than 16 MB RAM => 1024 syslog messages
  • more than 4 MB RAM => 256 syslog messages
  • less than 4 MB RAM => 100 syslog messages

For example, a LANCOM 1721 + VPN has 32 MB RAM available and is thus able to store 2048 syslog messages.


Classifying Syslog messages:

Syslog messages are divided into various groups (facilities) and are sorted according to priority within a group.
The Syslog daemon (recipient of Syslog messages) can be instructed to display messages of a certain priority for each group, i.e. all messages of the same or of a higher priority will be displayed.
A well-known example of a Syslog daemon is the Kiwi Syslog daemon, available at http://www.kiwisyslog.com/index.htm

Facilities:

As mentioned above, Syslog messages are divided according to priority and message group. The message group is known as the facility and indicates at least the message source. Syslog defines the following facilities (LANCOM facilities in bold):

  • KERNEL: Operating system messages (e.g. boot messages)
  • USER: Freely definable message
  • MAIL: Messages from the mail system
  • DAEMON: Messages from a system daemon (driver)
  • AUTH: Login messages. The LANCOM uses this to report logins via PPP
  • SYSLOG: Messages from the system daemon (normally --- MARK ---)
  • LPR: Line Printer Subsystem messages
  • NEWS: News service messages
  • UUCP: UUCP service messages
  • CRON: Timer server service messages
  • AUTHPRIV: Private authentication system messages. The LANCOM uses this to report console logins (Telnet, SNMP, TFTP, http)
  • SYSTEM 0 – 4: Reserved
  • LOCAL 0 – 7: Not yet defined facilities. These are used to code LANCOM-specific facilities.


Syslog message structure:

Syslog messages are transmitted in plain text (ASCII). The classification by priority and facility is encoded as a decimal number in angle brackets, placed as a prefix before the message. The Syslog daemon uses this number to decide how to handle the message. When the message is stored, the number is removed so that only the message remains.
To be able to identify where the message came from, the LANCOM adds the message source and the alarm level to the message as plain text. Thus a Syslog message appears as follows (note: in the PF field, source and level are not reduced):

<PF>SOURCE_LEVEL: message

For example:

<81>ADMIN_ALERT: Login from outband failed
<149>ADMIN_INFO: Firmware upload started from 10.0.0.170 {ntserver} via TFTP
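
The message structure and the daemon-side priority filter described above, as an added example that is not part of the original page: it decodes the PF number with the standard syslog encoding (facility × 8 + severity), splits SOURCE_LEVEL, and applies a per-facility threshold. The numeric order of the facilities, the severity names, and the names `parse`, `displayed` and `RULES` are assumptions of this example.

```python
import re

# Facility names as listed on this page, assumed to follow the standard
# syslog numbering (codes 0-23) in the order the page gives them.
FACILITIES = (
    ["KERNEL", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
     "UUCP", "CRON", "AUTHPRIV"]
    + [f"SYSTEM{i}" for i in range(5)]
    + [f"LOCAL{i}" for i in range(8)]
)
# Standard syslog severity names; code 0 is the highest priority.
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

LINE_RE = re.compile(r"<(\d{1,3})>([A-Za-z0-9]+)_([A-Za-z]+): (.*)")


def parse(line):
    """Split '<PF>SOURCE_LEVEL: message' into fields; None if malformed."""
    m = LINE_RE.fullmatch(line.strip())
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PF
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_code": severity, "source": m.group(2),
            "level": m.group(3), "message": m.group(4)}


def displayed(record, thresholds):
    """Daemon-side filter: show a record whose priority is the same as or
    higher than the threshold for its facility (lower code = higher)."""
    limit = thresholds.get(record["facility"])
    return limit is not None and record["severity_code"] <= SEVERITIES.index(limit)


# The two sample messages from this page.
SAMPLES = [
    "<81>ADMIN_ALERT: Login from outband failed",
    "<149>ADMIN_INFO: Firmware upload started from 10.0.0.170 {ntserver} via TFTP",
]
# Constructed per-facility thresholds, for illustration only.
RULES = {"AUTHPRIV": "WARNING", "LOCAL2": "ERR"}

if __name__ == "__main__":
    for raw in SAMPLES:
        rec = parse(raw)
        state = "shown" if displayed(rec, RULES) else "suppressed"
        print(rec["facility"], rec["severity"], rec["source"], rec["level"], state)
```

For the second sample the PF value decodes to severity code 5 while the plain-text level reads INFO, so a filter should work on the decoded number rather than on the label.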


